diff --git a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md index 1643f56e4f97..eb8b36f9bcf0 100644 --- a/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md +++ b/content/code-security/getting-started/best-practices-for-preventing-data-leaks-in-your-organization.md @@ -104,7 +104,7 @@ To ensure that all code is properly reviewed prior to being merged into the defa If a user pushes sensitive data, ask them to remove it by using the `git filter-repo` tool or the BFG Repo-Cleaner open source tool. For more information, see "[AUTOTITLE](/authentication/keeping-your-account-and-data-secure/removing-sensitive-data-from-a-repository)." Also, it is possible to revert almost anything in Git. For more information, see [{% data variables.product.prodname_blog %}](https://github.blog/2015-06-08-how-to-undo-almost-anything-with-git/). -At the organization level, if you're unable to coordinate with the user who pushed the sensitive data to remove it, we recommend you contact [GitHub Support](https://support.github.com/contact) with the concerning commit SHA. +At the organization level, if you're unable to coordinate with the user who pushed the sensitive data to remove it, we recommend you contact {% data variables.contact.contact_support %} with the concerning commit SHA. If you're unable to coordinate directly with the repository owner to remove data that you're confident you own, you can fill out a DMCA takedown notice form and tell GitHub Support. For more information, see [DMCA takedown notice](https://support.github.com/contact/dmca-takedown). 
diff --git a/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization.md b/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization.md index 519a1897ea52..fd8935894c75 100644 --- a/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization.md +++ b/content/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization.md 
@@ -125,11 +125,13 @@ Some of the features listed below are limited to organizations using {% data var | Manage [branch protection rules](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/managing-a-branch-protection-rule){% ifversion repo-rules %} and [repository rulesets](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets){% endif %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | | {% ifversion repo-rules %} | | View [rulesets for a repository](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets) | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | -| {%- endif %} | +| {% endif %} | | [Push to protected branches](/repositories/configuring-branches-and-merges-in-your-repository/managing-protected-branches/about-protected-branches) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | | Merge pull requests on protected branches, even if there are no approving reviews | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +| {% ifversion ghes < 3.16 %} | | Create tags that match a [tag protection rule](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | {% 
octicon "check" aria-label="Yes" %} | | Delete tags that match a [tag protection rule](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | +| {% endif %} | | [Create and edit repository social cards](/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/customizing-your-repositorys-social-media-preview) | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | | {% ifversion fpt or ghec %} | | Limit [interactions in a repository](/communities/moderating-comments-and-conversations/limiting-interactions-in-your-repository)| {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "x" aria-label="No" %} | {% octicon "check" aria-label="Yes" %} | {% octicon "check" aria-label="Yes" %} | diff --git a/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md b/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md index c373bc8591bd..cbe65c27de46 100644 --- a/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md +++ b/content/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets.md 
@@ -52,18 +52,31 @@ For each ruleset you create, you specify which branches or tags in your reposito {% endif %} +{% ifversion ghes < 3.16 %} + ## About rulesets, protected branches, and protected tags -Rulesets work alongside any branch protection rules and tag protection rules in a repository. Many of the rules you can define in rulesets are similar to protection rules, and you can start using rulesets without overriding any of your existing protection rules. +{% else %} + +## About rulesets and protected branches + +{% endif %} + +Rulesets work alongside any branch protection rules{% ifversion ghes < 3.16 %} and tag protection rules{% endif %} in a repository. Many of the rules you can define in rulesets are similar to protection rules, and you can start using rulesets without overriding any of your existing protection rules. + +{% ifversion ghes < 3.16 %} -{% ifversion tag-protection-rules-import %}Additionally, you can import existing tag protection rules into repository rulesets. This will implement the same tag protections you currently have in place for your repository. For more information, see "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules#about-importing-tag-protection-rules-to-repository-rulesets)."{% endif %} +Additionally, you can import existing tag protection rules into repository rulesets. This will implement the same tag protections you currently have in place for your repository. See "[AUTOTITLE](/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules#about-importing-tag-protection-rules-to-repository-rulesets)." + +{% endif %} -Rulesets have the following advantages over branch and tag protection rules. +Rulesets have the following advantages over branch {% ifversion ghes < 3.16 %} +and tag{% endif %} protection rules. 
-* Unlike protection rules, multiple rulesets can apply at the same time, so you can be confident that every rule targeting a branch or tag in your repository will be evaluated when someone interacts with that branch or tag. For more information, see "[About rule layering](#about-rule-layering)." +* Unlike protection rules, multiple rulesets can apply at the same time, so you can be confident that every rule targeting a branch {% ifversion ghes < 3.16 %}or tag{% endif %} in your repository will be evaluated when someone interacts with that branch{% ifversion ghes < 3.16 %} or tag{% endif %}. See "[About rule layering](#about-rule-layering)." * Rulesets have statuses, so you can easily manage which rulesets are active in a repository without needing to delete rulesets. * Anyone with read access to a repository can view the active rulesets for the repository. This means a developer can understand why they have hit a rule, or an auditor can check the security constraints for the repository, without requiring admin access to the repository. -* You can create additional rules to control the metadata of commits entering a repository, such as the commit message and the author's email address. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#metadata-restrictions){% ifversion ghec %}."{% else %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %} +* You can create additional rules to control the metadata of commits entering a repository, such as the commit message and the author's email address. See "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/available-rules-for-rulesets#metadata-restrictions){% ifversion ghec %}."{% else %}" in the {% data variables.product.prodname_ghe_cloud %} documentation.{% endif %} ## Using ruleset enforcement statuses 
diff --git a/content/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules.md b/content/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules.md index 624e163e347c..495c29a75cf2 100644 --- a/content/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules.md +++ b/content/repositories/managing-your-repositorys-settings-and-features/managing-repository-settings/configuring-tag-protection-rules.md 
@@ -2,22 +2,13 @@ title: Configuring tag protection rules shortTitle: Tag protection rules intro: You can configure tag protection rules for your repository to prevent contributors from creating or deleting tags. -product: '{% data reusables.gated-features.tag-protection-rules %}' versions: - fpt: '*' - ghec: '*' - ghes: '*' + ghes: '<3.16' --- -{% ifversion tag-protection-rules-deprecation %} +>[!NOTE] Tag protection rules will be deprecated on August 30, 2024, and in {% data variables.product.prodname_ghe_server %} version 3.16 and later, in favor of rulesets. Any tag protection rules still in use after the deprecation date will be auto-migrated, but you can also migrate them manually before the deprecation date. You can read more about this deprecation on the [{% data variables.product.prodname_blog %}](https://github.blog/changelog/2024-05-29-sunset-notice-tag-protections). ->[!NOTE] Tag protection rules will be deprecated on August 30, 2024 in favor of rulesets. Any tag protection rules still in use after the deprecation date will be auto-migrated, but you can also migrate them manually before the deprecation date. You can read more about this deprecation on the [{% data variables.product.prodname_blog %}](https://github.blog/changelog/2024-05-29-sunset-notice-tag-protections). - -{% endif %} - -## About tag protection rules - -When you add a tag protection rule, all tags that match the pattern provided will be protected. Only users with admin or maintain permissions{% ifversion edit-repository-rules %}, or custom roles with the "edit repository rules" permission{% endif %} in the repository will be able to create protected tags, and only users with admin permissions{% ifversion edit-repository-rules %} or custom roles with the "edit repository rules" permission{% endif %} in the repository will be able to delete protected tags. 
For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#permissions-for-each-role)." {% data variables.product.prodname_github_apps %} require the `Repository administration: write` permission to modify a protected tag. +When you add a tag protection rule, all tags that match the pattern provided will be protected. Only users with admin or maintain permissions, or custom roles with the "edit repository rules" permission in the repository will be able to create protected tags, and only users with admin permissions or custom roles with the "edit repository rules" permission in the repository will be able to delete protected tags. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/repository-roles-for-an-organization#permissions-for-each-role)." {% data variables.product.prodname_github_apps %} require the `Repository administration: write` permission to modify a protected tag. {% ifversion custom-repository-roles %} Additionally, you can create custom repository roles to allow other groups of users to create or delete tags that match tag protection rules. For more information, see "[AUTOTITLE](/organizations/managing-user-access-to-your-organizations-repositories/managing-repository-roles/managing-custom-repository-roles-for-an-organization)."{% endif %} diff --git a/data/reusables/organizations/require-ssh-cert.md b/data/reusables/organizations/require-ssh-cert.md index 082a6ebff341..76650012da08 100644 --- a/data/reusables/organizations/require-ssh-cert.md +++ b/data/reusables/organizations/require-ssh-cert.md 
@@ -4,6 +4,6 @@ **Note:** When you require SSH certificates, users will not be able to authenticate to access the organization's repositories over HTTPS or with an unsigned SSH key{% ifversion ghes %}.{% elsif ghec %}, regardless of whether the SSH key is authorized for an organization that requires authentication through an external identity system.{% endif %} - The requirement does not apply to authorized {% data variables.product.prodname_oauth_apps %} and {% data variables.product.prodname_github_apps %} {% ifversion ssh-cert-policy-allow-u2s-tokens %}(including user-to-server tokens){% endif %}, deploy keys, or to {% data variables.product.prodname_dotcom %} features such as {% data variables.product.prodname_actions %}{% ifversion fpt or ghec %} and {% data variables.product.prodname_codespaces %}{% endif %}, which are trusted environments within the {% data variables.product.prodname_dotcom %} ecosystem. + The requirement does not apply to authorized {% data variables.product.prodname_github_apps %} {% ifversion ssh-cert-policy-allow-u2s-tokens %}(including user-to-server tokens){% endif %}, deploy keys, or to {% data variables.product.prodname_dotcom %} features such as {% data variables.product.prodname_actions %}{% ifversion fpt or ghec %} and {% data variables.product.prodname_codespaces %}{% endif %}, which are trusted environments within the {% data variables.product.prodname_dotcom %} ecosystem. {% endnote %} diff --git a/data/reusables/repositories/rulesets-alternative.md b/data/reusables/repositories/rulesets-alternative.md index 8298c0281b20..0721248105b2 100644 --- a/data/reusables/repositories/rulesets-alternative.md +++ b/data/reusables/repositories/rulesets-alternative.md 
@@ -1 +1 @@ -As an alternative to branch protection rules or tag protection rules, you can create rulesets. Rulesets have a few advantages over branch and tag protection rules, such as statuses, and better discoverability without requiring admin access. You can also apply multiple rulesets at the same time. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)." +As an alternative to branch protection rules{% ifversion ghes < 3.16 %} or tag protection rules{% endif %}, you can create rulesets. Rulesets have a few advantages over branch{% ifversion ghes < 3.16 %} and tag{% endif %} protection rules, such as statuses, and better discoverability without requiring admin access. You can also apply multiple rulesets at the same time. For more information, see "[AUTOTITLE](/repositories/configuring-branches-and-merges-in-your-repository/managing-rulesets/about-rulesets)."
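Review bot: In best-practices-for-preventing-data-leaks-in-your-organization.md, only the first mention of support is switched to {% data variables.contact.contact_support %}; the following paragraph still says "tell GitHub Support" in plain text. Suggest using the same variable (or a matching product-name variable) there, so both sentences render consistently on every version this page is built for.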
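Review bot: In about-rulesets.md, the conditional in "advantages over branch {% ifversion ghes < 3.16 %}" / "and tag{% endif %} protection rules" is split across two lines with a space before the opening tag, and the first bullet does the same with "a branch {% ifversion ghes < 3.16 %}or tag{% endif %} in your repository". When the condition is false, both leave a doubled space in the source output, and the placement differs from the rest of the patch, which keeps the leading space inside the conditional ("that branch{% ifversion ghes < 3.16 %} or tag{% endif %}"). Suggest writing them on one line as "branch{% ifversion ghes < 3.16 %} and tag{% endif %} protection rules" and "a branch{% ifversion ghes < 3.16 %} or tag{% endif %} in your repository".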
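Review bot: In configuring-tag-protection-rules.md, the rewritten NOTE now names two triggers ("on August 30, 2024, and in ... version 3.16 and later"), but the next sentence still says rules in use "after the deprecation date" will be auto-migrated and can be migrated manually "before the deprecation date". With the front matter narrowed to ghes: '<3.16', every reader of this page is on GitHub Enterprise Server, so the note should say which of the two triggers applies to them and when migration happens for an instance. The hunk also deletes the "## About tag protection rules" heading, leaving the introductory paragraph directly under the note; please confirm that is intended and that nothing links to that heading's anchor.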
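Review bot: In data/reusables/organizations/require-ssh-cert.md, dropping "{% data variables.product.prodname_oauth_apps %} and" from the exemption list changes what the note says about authentication, and it is unrelated to the tag protection changes in the rest of this patch. After the change the note no longer says whether authorized OAuth apps are subject to the SSH certificate requirement, and the "(including user-to-server tokens)" parenthetical now attaches to GitHub Apps alone. Suggest stating the OAuth app behaviour explicitly, version-gating it if it differs by release, and moving this into its own change with a rationale in the commit message. On the same line, the space before "{% ifversion ssh-cert-policy-allow-u2s-tokens %}" leaves a space before the comma when the condition is false.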